PHPGurukul Zoo Management System SQL Injection Vulnerability in Contact Us Admin Page

A critical SQL injection vulnerability has been identified in PHPGurukul Zoo Management System version 2.1. The issue resides in the admin/contactus.php file, specifically within an unknown function that processes the 'mobnum' parameter. This vulnerability allows remote attackers to inject malicious SQL queries, which could be executed without authentication. The lack of proper input validation for the 'mobnum' parameter enables exploitation, potentially leading to unauthorized database access, data manipulation, and disruption of services.

Impact

Exploitation of this vulnerability allows attackers to inject malicious SQL queries via the 'mobnum' parameter, leading to unauthorized database access and manipulation. This could include modifying or deleting data, accessing sensitive information, and disrupting normal service operations.

Reproduction

To reproduce this vulnerability, send a POST request to the '/admin/contactus.php' endpoint with the 'mobnum' parameter. Include a payload that exploits the SQL injection vulnerability, such as one that uses a time-based blind SQL injection technique, like injecting a SQL command that causes the database to pause processing for a few seconds before responding.

Remediation

It is recommended to validate and sanitize user inputs, particularly the 'mobnum' parameter, to prevent SQL injection. Implementing prepared statements and parameterized queries can also help mitigate this vulnerability.